From 061e2141160c2280880a83f4ca90e238f369caa5 Mon Sep 17 00:00:00 2001 From: "Jan F. Chadima" Date: Fri, 3 Apr 2009 12:37:30 +0000 Subject: [PATCH] - fix logging after chroot - enable non root users to use chroot %h in internal-sftp --- openssh-5.1p1-log-in-chroot.patch | 69 ++++++++++++++++++++++++++++--- openssh-5.2p1-homechroot.patch | 28 +++++++++++++ openssh.spec | 8 +++- 3 files changed, 99 insertions(+), 6 deletions(-) create mode 100644 openssh-5.2p1-homechroot.patch diff --git a/openssh-5.1p1-log-in-chroot.patch b/openssh-5.1p1-log-in-chroot.patch index be1ed35..197fdb9 100644 --- a/openssh-5.1p1-log-in-chroot.patch +++ b/openssh-5.1p1-log-in-chroot.patch @@ -15,15 +15,32 @@ diff -up openssh-5.1p1/sshd.c.log-chroot openssh-5.1p1/sshd.c diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c --- openssh-5.1p1/log.c.log-chroot 2008-06-10 15:01:51.000000000 +0200 +++ openssh-5.1p1/log.c 2008-07-23 15:18:52.000000000 +0200 -@@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) + # include + #endif +@@ -56,6 +57,7 @@ static int log_on_stderr = 1; static int log_facility = LOG_AUTH; static char *argv0; -+static int log_fd_keep; ++int log_fd_keep = 0; extern char *__progname; -@@ -392,10 +393,21 @@ do_log(LogLevel level, const char *fmt, +@@ -310,6 +312,8 @@ + exit(1); + } + ++ if (log_fd_keep != 0) ++ return; + /* + * If an external library (eg libwrap) attempts to use syslog + * immediately after reexec, syslog may be pointing to the wrong +@@ -392,10 +396,33 @@ syslog_r(pri, &sdata, "%.500s", fmtbuf); closelog_r(&sdata); #else 
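Review bot: The early return added to log_init, `if (log_fd_keep != 0) return;`, also fires when open_log() has set log_fd_keep to -1, i.e. when no descriptor could be identified and nothing is being preserved across the chroot, so the variable is carrying three states (0 unset, -1 detection failed, >0 a kept descriptor) while the test only distinguishes two. Writing it as `if (log_fd_keep > 0) return;` makes the intent explicit, and the definition `int log_fd_keep = 0;` deserves a comment spelling the states out, e.g. `/* syslog socket kept open across chroot: 0 = none, -1 = not found, >0 = fd */`. The do_log hunk this patch also rewrites (`@@ -392,10 +396,33 @@`) is only referenced here, so whether do_log still closes the syslog socket after each message cannot be judged from this diff. log_init's body extends beyond the hunk on both sides.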
@@ -42,16 +59,58 @@ diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c +void +open_log(void) +{ ++ int temp1, temp2; ++ ++ temp1 = open("/dev/null", O_RDONLY); + openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility); -+ log_fd_keep = 1; ++ temp2 = open("/dev/null", O_RDONLY); ++ if (temp1 + 2 == temp2) ++ log_fd_keep = temp1 + 1; ++ else ++ log_fd_keep = -1; ++ ++ if (temp1 != -1) ++ close(temp1); ++ if (temp2 != -1) ++ close(temp2); +} diff -up openssh-5.1p1/log.h.log-chroot openssh-5.1p1/log.h --- openssh-5.1p1/log.h.log-chroot 2008-06-13 02:22:54.000000000 +0200 +++ openssh-5.1p1/log.h 2008-07-23 15:20:11.000000000 +0200 -@@ -66,4 +66,6 @@ void debug3(const char *, ...) __att +@@ -46,6 +46,9 @@ + SYSLOG_LEVEL_NOT_SET = -1 + } LogLevel; + ++ ++extern int log_fd_keep; ++ + void log_init(char *, LogLevel, SyslogFacility, int); + + SyslogFacility log_facility_number(char *); +@@ -66,4 +69,6 @@ void do_log(LogLevel, const char *, va_list); void cleanup_exit(int) __attribute__((noreturn)); + +void open_log(void); #endif +--- openssh-5.2p1/session.c. 2009-03-20 18:32:01.004151364 +0100 ++++ openssh-5.2p1/session.c 2009-03-20 19:00:28.328742384 +0100 +@@ -1445,6 +1456,7 @@ + if (chdir(path) == -1) + fatal("Unable to chdir to chroot path \"%s\": " + "%s", path, strerror(errno)); ++ open_log (); + if (chroot(path) == -1) + fatal("chroot(\"%s\"): %s", path, strerror(errno)); + if (chdir("/") == -1) +@@ -1632,7 +1644,8 @@ + * descriptors open. + */ + for (i = 3; i < 64; i++) +- close(i); ++ if (i != log_fd_keep) ++ close(i); + } + + /* diff --git a/openssh-5.2p1-homechroot.patch b/openssh-5.2p1-homechroot.patch new file mode 100644 index 0000000..227c394 --- /dev/null +++ b/openssh-5.2p1-homechroot.patch 
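Review bot: open_log identifies the syslog socket purely by descriptor arithmetic (`temp1 + 2 == temp2` then `log_fd_keep = temp1 + 1`), so any descriptor opened between the two /dev/null probes, or an openlog() that opens nothing, is silently misattributed, and whatever descriptor sits at that number is then exempted from the close loop in do_child and stays open in the user's session. Confirming with fstat() that the candidate really is a socket, and marking it FD_CLOEXEC so that only the in-process internal-sftp server (not a command exec'd under ChrootDirectory) inherits it, keeps the heuristic honest; both need <sys/stat.h> and <fcntl.h>, which the include added in the log.c hunk above may already cover (its operand is not legible in this diff). The failure case (log_fd_keep == -1) is not reported anywhere, so lost post-chroot logging is hard to diagnose; the caller in safely_chroot could note it with debug() before chroot() while /dev/log is still reachable. open_log is shown in full; safely_chroot and do_child extend beyond their hunks.
```c
	struct stat st;
	/* … unchanged: temp1 = open(...), openlog(...) … */
	temp2 = open("/dev/null", O_RDONLY);
	if (temp1 != -1 && temp1 + 2 == temp2 &&
	    fstat(temp1 + 1, &st) == 0 && S_ISSOCK(st.st_mode)) {
		log_fd_keep = temp1 + 1;
		/* internal-sftp runs in-process; an exec'd command must not inherit the socket */
		(void)fcntl(log_fd_keep, F_SETFD, FD_CLOEXEC);
	} else
		log_fd_keep = -1;
	/* … unchanged: close(temp1), close(temp2) … */
```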
@@ -0,0 +1,28 @@
+--- openssh-5.2p1/session.c 2009-03-20 18:08:11.263662384 +0100
++++ openssh-5.2p1/session.c 2009-03-20 18:26:29.925498409 +0100
+@@ -1408,6 +1408,7 @@
+ const char *cp;
+ char component[MAXPATHLEN];
+ struct stat st;
++ int last;
+
+ if (*path != '/')
+ fatal("chroot path does not begin at root");
+@@ -1419,7 +1420,7 @@
+ * root-owned directory with strict permissions.
+ */
+ for (cp = path; cp != NULL;) {
+- if ((cp = strchr(cp, '/')) == NULL)
++ if (((last = ((cp = strchr(cp, '/')) == NULL))))
+ strlcpy(component, path, sizeof(component));
+ else {
+ cp++;
+@@ -1432,7 +1433,7 @@
+ if (stat(component, &st) != 0)
+ fatal("%s: stat(\"%s\"): %s", __func__,
+ component, strerror(errno));
+- if (st.st_uid != 0 || (st.st_mode & 022) != 0)
++ if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))
+ fatal("bad ownership or modes for chroot "
+ "directory %s\"%s\"",
+ cp == NULL ? "" : "component ", component);
diff --git a/openssh.spec b/openssh.spec
index 8c5121d..ff914ab 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -63,7 +63,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.2p1
-Release: 2%{?dist}%{?rescue_rel}
+Release: 3%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -97,6 +97,7 @@ Patch54: openssh-5.1p1-gssapi-role.patch
 Patch55: openssh-5.1p1-cloexec.patch
 Patch62: openssh-5.1p1-scp-manpage.patch
 Patch65: openssh-5.2p1-fips.patch
+Patch66: openssh-5.2p1-homechroot.patch
 License: BSD
 Group: Applications/Internet
@@ -228,6 +229,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch55 -p1 -b .cloexec
 %patch62 -p1 -b .manpage
 %patch65 -p1 -b .fips
+%patch66 -p1 -b .homechroot
 autoreconf
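Review bot: The relaxed test `if ((st.st_uid != 0 || (st.st_mode & 022) != 0) && !(last && st.st_uid == uid))` skips the whole check for a user-owned final component, so a group- or world-writable last directory is now accepted where every other component is still rejected for the same modes; restructuring it as `if ((st.st_uid != 0 && !(last && st.st_uid == uid)) || (st.st_mode & 022) != 0)` relaxes only the ownership requirement and keeps the mode requirement. Nothing in the hunk ties the relaxation to internal-sftp as the commit message suggests; it applies to every ChrootDirectory session, and a user-writable chroot root is a much larger exposure when a command is exec'd inside it, so if that restriction is enforced elsewhere a comment above the check should say where. `if (((last = ((cp = strchr(cp, '/')) == NULL))))` carries two redundant pairs of parentheses; `if ((last = (cp = strchr(cp, '/')) == NULL))` parses identically. The enclosing function (safely_chroot, whose `uid` parameter the new condition relies on) starts and ends outside the hunk.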
@@ -472,6 +474,10 @@ fi
 %endif
 %changelog
+* Fri Apr 3 2009 Jan F. Chadima - 5.2p1-3
+- fix logging after chroot
+- enable non root users to use chroot %h in internal-sftp
+
 * Fri Mar 13 2009 Tomas Mraz - 5.2p1-2
 - add AES-CTR ciphers to the FIPS mode proposal